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a A T M S 

l.^^ethod designed to prove to a controller entity, 

- the\authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 
by means\of all or part of the following parameters or 

5 derivatives of theism parameters: 

- m pairs of pHyate values Q lf Q 2 , ... Q m and public values 
G,,G 2 , ... G m (m being\reater than or equal to 1), 

- a public modulusv n constituted by the product of f 
prime factors p,, p 2 , ... p f Cf being greater than or equal to 2), 

10 the said modulus and tt\e said private and public values 

being related by relations of tlite following type 

Gj. = Qi v . mod n oXGj. = Q, v . mod n 
where v denotes a public exponent of the form: 

v = 2 k \ 
15 where k is a security parameter greater than 1 ; 

the said m public values Gi being squares gi of m distinct 
base numbers gi, g 2 , ... gm, smaller than th\f prime factors pi, 

P2. ••• Pm | ; \ 

the said pi, p2, ... Pm prime factors and \ or the said m 
20 base numbers gi, g 2 , ... .gm being produced such that the 
following conditions are satisfied: \ 
First condition \ 
each of the equations: \ 

x v = gi 2 mod n (1) \ 
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;an be resolved in x in the ring of integers modulo n ; 
Secon x d\ condition 

if G s Qj V mod n, among the m numbers q t obtained by 
taking Qi\quared modulo n, k-1 times, one of them is not 
equal to ^giVin other words is not trivial), 

if Gi.Qi V V 1 mod n, among the m numbers qi obtained by 
taking the inverse of Qi modulo n squared modulo n, k-1 

is not equal to ±gi (in other words is not 



\ 



inve 

times, one of th 
trivial) ; 
Third condition \ 
at least one of 



35 



he 2m equations 
2 = giinod n (2) 
~ = -gimod n (3) 
can be resolved in x\in the ring of integers modulo n ; 
the said method implements, in the following steps, an 
entity called a witness having f prime factors pi and/or m 
numbers of base gi and/or parameters of the Chinese 
remainders of the prime factory and/or the public modulus n 
and/or the m private values Qi and/or the f.m components Q i(j 
(Qi j = Qj mod pj) of the private\values Qi and of the public 
exponent v; 

- the witness computes commitments R in the ring of 
integers modulo n; each commitment^ being computed: 
. either by performing operations \pf the type 

R = r v mod n 
where r is a random value such that l\ < r < n, 
. or 

.. by performing operations\ of the type 
Ri siy mod pi 

where r\ is a random value associated Vith the prime 
number Pj such that 0 < v { < P it each v { belonging \o a collection 
of random values {r 1 , r 2 , ... r f } 

.. then by applying the Chinese remainders method, 
- the witness receives one or more challenges d; each 
challenge d comprising m integers d Y hereinafter called 
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v elementary challenges; the witness, on the basis of each 
ishallenge d, computes a response D by performing operations 
of\he type: 

\ r.Q, dl .Q 2 d2 ... Q m dm mod n 

5 \r 

\ .. by performing operations of the type: 
\ Di-r^Qi/ 1 ^,/ 2 ... Qi, m dm mod Pi 
..\then by applying the Chinese remainders method; 
the said\nethod being such that there are as many 
10 responses D a^ there are challenges d as there are 
commitments R, e^ch group of numbers R, d, D forming a 
triplet referenced {R,Ni, D}. 

2. Method according to claim 1, designed to prove the 
authenticity of an entity Noiown as a demonstrator to an entity 
15 known as the controlled the said demonstrator entity 
comprising the witness; \ 

the said demonstrator and controller entities executing the 

. Step 1: act of commitment R 

20 - at each call, the witness computes each commitment R 

by applying the process specified according to claim 1, 

the demonstrator sends the exmtroller all or part of 
each commitment R, \ 
. Step 2: act of challenge d \ 
25 - the controller, after having received \ll or part of each 

commitment R, produces challenges d whose \number is equal 
to the number of commitments R and sends theXchallenges d to 
the demonstrator, \ 
. Step 3: act of response D \ 
30 - the witness computes the responses D\from the 

challenges d by applying the process specified according to 
claim 1, \ 
. Step 4: act of checking \ 
- the demonstrator sends each response D to\ the 
35 controller, \ 
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ise where the demonstrator has transmitted a 
part of\ each commitment R if the demonstrator has 
transmittecK a part of each commitment R, the controller, 
having the \m public values G h G 2 G m , computes a 

reconstructed commitment R\ from each challenge d and each 
response D, thiX reconstructed commitment R' satisfying a 
relationship of the\type: 



R' = T& Ui .G 2 d2 . ... G m 
or a relationshipXof the type 

R^ D v A dl .G 2 d2 . ... G m dm . mod n 
the controller ascertains that each reconstructed 
commitment R' reproduces\all or part of each commitment R 
that has been transmitted to \t, 

case where the demonstrator has transmitted the 
totality of each commitment 

if the demonstrator has transmitted the totality of each 
commitment R, the controller, having the m public values Gi, 
G 2 ,... G m , ascertains that each commitment R satisfies a 
relationship of the type 

,mod n 

or a relationship of the type 

R^ D7Gi dl .G 2 d2 . ... G m dm . mod 

3. Method according to claim 1, designed to provide 
proof to an entity, known as the controller entity, of the 
integrity of a message M associated with an entky called a 
demonstrator entity, the said demonstrator entity \omprising 
the witness ; 

the said demonstrator and controller entities executing the 
following steps: 

. Step 1: act of commitment R 

- at each call, the witness computes each commitment\ R 
by applying the process specified according to claim 1, 
. Step 2: act of challenge d 



dm 



D v mod n 





- the demonstrator applies a hashing function h whose 
argurfrents are the message M and all or part of each 
commitment R to compute at least one token T, 

- thK demonstrator sends the token T to the controller, 

5 - the\ controller, after having received a Token T, 

produces challenges d equal in number to the number of 
commitments \|i and sends the challenges d to the 
demonstrator, 

. Step 3: ac\ of response D 
10 - the witness\ computes the responses D from the 

challenges d by applying the process specified according to 
claim 1, 

. Step 4: act of dhecking 

- the demonstrator \sends each response D to the 

1 5 controller, 

- the controller, having tfte m public values Gi, G 2 , G 



computes a reconstructed c^mnmitment R\ from each 
challenge d and each respons^e D, this reconstructed 
commitment R' satisfying a relationship of the type: 
20 R* ^ G 1 dl .G 2 d2 . ... G m dn \D v mod n 

or a relationship of the type 

R^ DVG 1 d, .G 2 d2 . ... G m dm .Vod n 

- then the controller applies the ^hashing function h 
whose arguments are the message M and all or part of each 

25 reconstructed commitment R' to reconstruct the token T, 

- then the controller ascertains that the token T is 
identical to the token T transmitted. 

4. Method according to claim 1, designed toNproduce the 
digital signature of a message M by an entity known as the 
30 signing entity, the said signing entity comprising the fitness; 
Signing operation 

the said signing entity executes a signing operation in 
order to obtain a signed message comprising: 

- the message M, 
35 - the challenges d and/or the commitments R, 
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the responses D; 
the said signing entity executes the signing operation by 
implementing the following steps: 

itep 1: act of commitment R 

atVach call, the witness computes each commitment R 
by applyingythe process specified according to claim 1, 
. Step N2: act of challenge d 

- the signing entity applies a hashing function h whose 
arguments are \he message M and each commitment R to 
obtain a binary t\in, 

nnary train, the signing entity extracts 
challenges d whose\ number is equal to the number of 
commitments R, 

. Step 3: act of Ysesponse D 

- the witness competes the responses D from the 
challenges d by applying tne process specified according to 
claim L 

5. Method according to claim 4, designed to prove the 
authenticity of the message M by\checking the signed message 
through an entity called a controlk 
Checking operation 

the said controller entity havihg the signed message 
executes a checking operation by proceeding as follows: 

. case where the controller has commitments R, 
challenges d, responses D, 

if the controller has commitments \R, challenges d, 
responses D, 

. . the controller ascertains that the commitments R, the 
challenges d and the responses D satisfy relationships of the 
type 



d2 



R ^ G, dl .G 2 d2 . ... G m dm D v mod n 
or relationships of the type 



R ^ D7G 1 dI .G 2 az . ... G 
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dm 
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. . the controller ascertains that the message M, the 
challenges d and the commitments R satisfy the hashing 
function 

\ d = h (message, R) 

\ . case where the controller has challenges d 

and Responses D 

i\ the controller has challenges d and responses D, 
. . the controller reconstructs, on the basis of each 
challenge ck and response D, commitments R' satisfying 
relationships of the type: 

V = G! dl .G 2 d2 . ... G m dm . D v mod n 

or relationships of the type 

R^D v /G! dl .G 2 d2 . ... G m dm . mod n 
. . the controlled ascertains that the message M and the 
challenges d satisfy the hashing function 

\ d=h(message,R') 
. case where the Ncontroller has commitments R 
and responses D \ 

if the controller has commitments R and responses D, 

. . the controller applies the hashing function and 

reconstructs d' \ 
d' = h (message, R) \ 
. . the controller ascertains tha>t^ the commitments R, the 

challenges d' and the responses D satisfy relationships of the 

type: 



R = G! dl .G 2 



d2 ... G m dm . D v 



or relationships of the type 



R es D7Gi d, .G 2 



d2 



dm 



6. System designed to prove, to a controller server, 

- the authenticity of an entity and/or 

- the integrity of a message M associated writh this entity, 
by means of all or part of the following parameters or 

derivatives of these parameters: 

- m pairs of private values Q lf Q 2 , ... Q m and public values 
G!,G 2 , ... G m (m being greater than or equal to 1), 
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- a public modulus n constituted by the product of f 
prime \f actors p,, p 2 , ... Pf (f being greater than or equal to 2), 

said modulus and the said private and public values 
being related by relations of the following type: 

Gi.Qi v = 1. mod n or G| s Q ; v mod n; 
where V denotes a public exponent of the form: 

v = 2 k 

where k ^ a security parameter greater than 1; 
the said m publi\ values G* being squares gj 2 of m distinct base 
numbers g ls g 2 , .\ g m . smaller than the f prime factors pi, p 2 , 

Pf ; 

the said p l9 p2»\ - Pf prime factors and/or the said m base 
numbers gi, g 2 , ... gn\being produced such that the following 
conditions are satisfied) 
First condition 

each of the equation^ 

* 2 mod n (1) 

can be resolved in x in bhe ring of integers modulo n ; 
Second condition 

if Gi Qi V mod n, among the m numbers qi obtained by 
taking Qi squared modulo n, k-K times, one of them is not 
equal to ±g\ (in other words is not trivial). 

if Gi.Qi V 1 mod n, among the rta numbers qi obtained by 
taking the inverse of Qi modulo n Squared modulo n, k-1 
times, one of them is not equal to ±gi \n other words is not 
trivial) 

Third condition 

at least one of the 2m equations 

x 2 = gimod n (2) 
x 2 = -gimod n (3) 
can be resolved in x in the ring of integers modulo n; 
the said system comprises a witness device\ contained 
especially in a nomad object which, for example, \takes the 
form of a microprocessor-based bank card, 
the witness device comprises 




- a memory zone containing the f prime factors p t and/or 
the nl numbers of bases gi and/or parameters of the Chinese 
remainders of the prime factors and/or the public modulus n 
and/or tnfc m private values Qi and/or the f.m components Qij 

5 (Qi j s= Qj mod pj) of the private values Qi and of the public 
exponent v; 

the said witne^ device also comprises 

- random Value production means, hereinafter called 
random value production means of the witness device, 
10 - computation \means, hereinafter called means for the 

computation of commitments R of the witness device, to 
compute commitments\ R in the ring of integers modulo n; 
each commitment beingV computed: 

• either by performing operations of the type: 

15 Ri = X mod n 

where r is a random value produced by the random value 
production means, and r is such\hat 0 < r < n ; 

• or by performing operations of the type : 

Ri = ri V mod pi 

20 where r { is a random value associated with the prime 

number pi such that 0 < r\ < p\ each rjVjelonging to a collection 
of random values {r h r 2 ,... r f } produced by random value 
production means, then by applying the. Chinese remainders 
method; \ 

25 the said witness device also comprisesx 

- reception means hereinafter called the means for the 
reception of the challenges d of the witness device, to receive 
one or more challenges d; each challenge d ^comprising m 
integers d { hereinafter called elementary challenge 

30 - computation means, hereinafter called meks for the 

computation of the responses D of the witness devio^ for the 
computation, on the basis of each challenge d, of a Response 
D, 

. either by performing operations of the type: 
35 D = r.Q 1 dl .Q 2 d2 . ... Q m dm mod n 





\ . or by performing operations of the type: 
\ D - r.Q u dl .Qi, 2 d2 . ... Q iim dm mod Pi 

\and then by applying the Chinese remainders method. 
\ transmission means to transmit one or more 
commitments R and one or more responses D; 
there are\as many responses D as there are challenges d as 
there are \ommitments R, each group of numbers R, d, D 
forming a triblet referenced {R, d, D}. 

7. System according to claim 6, designed to prove the 
10 authenticity of\an entity called a demonstrator and an entity 
called a controller, 

the said system being such that it comprises: 

a demonstrator device associated with the 
demonstrator entity\ the said demonstrator device being 
15 interconnected with \he witness device by interconnection 
means and possibly raking the form especially of logic 
microcircuits in a nomadV object, for example the form of a 
microprocessor in a microtorocessor-based bank card, 

- a controller deviceX associated with the controller 
20 entity, the said controller devfce especially taking the form of 
a terminal or remote server\ the said controller device 
comprising connection means for its electrical, 
electromagnetic, optical or acouWic connection, especially 
through a data-processing commutations network, to the 
25 demonstrator device; \ 

the said system enabling the execution of the following 
steps: \ 

. Step 1: act of commitment R \ 
at each call, the means of computation for the commitments R 
30 of the witness device compute each commitnWt R by applying 
the process specified according to claim 1, \ 

the witness device has means of\ transmission, 
hereinafter called the transmission means ok the witness 
device, to transmit all or part of each commitment R to the 
35 demonstrator device through the interconnection means, 
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V the demonstrator device also has transmission means, 

hereinafter called the transmission means of the demonstrator 
deWce, to transmit all or part of each commitment R to the 
controller device through the connection means; 
5 Nstep 2: act of challenge d 

the\ controller device comprises challenge production 
means foX the production, after receiving all or part of each 
commitment R, of the challenges d equal in number to the 
number of commitments R, 
10 the controller device also has transmission means, 

hereinafter denofed transmission means of the controller, to 
transmit challenges\d to the demonstrator through connection 
means, \ 

. Step 3: act of response D 
15 the means of reception of the challenges d of the witness 

device receive each challe^se d coming from the demonstrator 
device through the interconnection means, 

the means of computation of the responses D of the witness 
device compute the responses^ D from the challenges d by 
20 applying the process specified according to claim 1, 
. Step 4: act of checking\ 
the transmission means of the demonstrator transmit each 
response D to the controller, \ 
the controller device also comprises: \ 
25 - computation means, hereinafter called the computation 

means of the controller device, \ 

- comparison means, hereinafter called the comparison 
means of the controller device, \ 
case where the demonstrator has transmitted a part o f 
30 each commitment R \ 

if the transmission means of the demonstrator have 
transmitted a part of each commitment R, the cosrnputation 
means of the controller device, having m public values Gi, G 2 , 
G m , compute a reconstructed commitment R\ frtfm each 
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challenge d and each response D, this reconstructed 
commitment R' satisfying a relationship of the type: 



R' ee G! dl .G 2 d2 



... G m dm D v mod n 



or \i relationship of the type 

R'= D v /Gi dl .G 2 d2 . ... G m dm . mod n 
the comparison means of the controller device compare 
each reconstructed commitment R 1 with all or part of each 
commitment & received, 

case where the controller has transmitted the 
totality of eaclk commitment R 

if the transmission means of the demonstrator have 
transmitted the totality of each commitment R, the 
computation means \and the comparison means of the 
controller device, having m public values Gi, G 2 , G m 
ascertain that each commitment R satisfies a relationship of 
the type 

R = Gi dl .G 2 d \... G m dm . D v mod n 

or a relationship of the type 
R ee D7Gi dl .G 2 d ' 

8. System according lo clai^to 6, designed to give proof to 
an entity known as a controller, of the integrity of a message 
M associated with an entity known \s a demonstrator, 
the said system being such that it comprises 

a demonstrator device Nassociated with the 
demonstrator entity, the said demonstrator device being 
interconnected with the witness device\ by interconnection 
means and possibly taking the form especially of logic 
microcircuits in a nomad object, for example the form of a 
microprocessor in a microprocessor-based bank card, 

- a controller device associated with \the controller 
entity, the said controller device especially taking: the form of 
a terminal or remote server, the said controller device 
comprising connection means for its \ electrical, 
electromagnetic, optical or acoustic connection, ^specially 



... G m dm mod n 
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through a data processing communications network, to the 
instrator device; 

le said system enabling the execution of the following 

steps: 

) 1: act of commitment R 

at d#ch call, the means of computation of the 
commitments R of the witness device compute each 
commitment \R by applying the process specified according to 
claim 1, 

the witnes\ device has transmission means, hereinafter 
called the transmission means of the witness device, to 
transmit all or partVof each commitment R to the demonstrator 
device through the\interconnection means, 

. Step 2: act (if challenge d 

the demonstratorX device comprises computation means, 
hereinafter called trie computation means of the 
demonstrator, applying aNhashing function h whose arguments 
are the message M and al\or part of each commitment R to 
compute at least one token 

the demonstrator devicfe also has transmission means, 
hereinafter known as the ^transmission means of the 
demonstrator device, to transmk each token T through the 
connection means to the controller device, 

the controller device also has challenge production means for 
the production, after having recei^d the token T, of the 
challenges d in a number equal to the\number of commitments 
R, 

the controller device also has V transmission means, 
hereinafter called the transmission means\of the controller, to 
transmit the challenges d to the demonstrator through the 
connection means; 

. Step 3: act of response D 

the means of reception of the challenges \l of the witness 
device receive each challenge d coming from they demonstrator 
device through the interconnection means, 
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the means of computation of the responses D of the witness 
vice compute the responses D from the challenges d by 
applying the process specified according to claim 1, 
tep 4: act of checking 
the\ transmission means of the demonstrator transmit 
each respcmse D to the controller, 

the controller device also comprises computation means, 
hereinafter calied the computation means of the controller 
device, having m\public values Gi, G 2 ,..., G m , in order to firstly 
10 compute a reconstructed commitment R\ from each challenge 
d and each response D, this reconstructed commitment R' 
satisfying a relationship of the type: 

R' ee G! d \G 2 d2 . ... G m dm . D v mod n 
or a relationship of the type 
15 R'^ D v /G! dl .G 2 d2 . ... G m dm mod n 

then, secondly, compute a token T by applying the 
hashing function h having as arguments the message M and all 
or part or each reconstructed commitment R\ 
the controller device also has comparison means, hereinafter 
20 known as the comparison means of the controller device, to 
compare the token T with the received token T. 

9. System according to claim 6, designed to produce the 
digital signature of a message M, hereinafter known as the 
signed message, by an entity called a signing entity; 
25 the signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 
Signing operation 

30 the said system being such that it comprises a signing device 
associated with the signing entity, the said signing device being 
interconnected with the witness device by interconnection 
means and possibly taking the form especially tff logic 
microcircuits in a nomad object, for example the forms^ of a 

3 5 microprocessor in a microprocessor-based bank card, 




\he said system enabling the execution or the following steps: 
\ . Step 1: act of commitment R 

\ at each call, the means of computation of the 
commkments R of the witness device compute each 
5 commitment R by applying the process specified according to 
claim 1, \ 

the Nvitness device has means of transmission, 
hereinafter called the transmission means of the witness 
device, to transmit all or part of each commitment R to the 
10 signing device through the interconnection means, 
. Step 2: a^t of challenge d 

the signing \device comprises computation means, 
hereinafter called the computation means of the signing 
device, applying a hashing function h whose arguments are the 
15 message M and all or patt of each commitment R to compute a 
binary train and extract, \from this binary train, challenges d 
whose number is equal to rhe number of commitments R, 
. Step 3: act of response D 

the means for the reception of the challenges d, receive 
20 each challenge d coming from the signing device through the 
interconnection means, \ 

the means for computing the\esponses D of the witness 
device compute the responses D from the challenges d by 
applying the process specified accordingyto claim 1, 
25 the witness device comprises Vransmission means, 

hereinafter called means of transmission o\ the witness device, 
to transmit the responses D to the signing device through the 
interconnection means. 

10. System according to claim 9, designed to prove the 
30 authenticity of the message M by checking the Signed message 
by means of an entity called the controller; 
Checking operation 

the said system being such that it comprises ^controller 
device associated with the controller entity, the said Controller 
35 device especially taking the form of a terminal or\ remote 
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irver, the said controller device comprising connection 
m\ans for its electrical, electromagnetic, optical or acoustic 
connection, especially through a data-processing 
communications network, to the signing device; 

le said signing device associated with the signing entity 
comprises transmission means, hereinafter known as the 
transmission means of the signing device, for the transmission, 
to the controller device, of the signed message through the 
connection means, in such a way that the controller device has 
a signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 

the controller^ device comprises: 

- computation Vieans hereinafter called the computation 
means of the controller device, 

- comparison means, hereinafter called the comparison 
means of the controller device. 

case where \the controller device has 
commitments R, challenges d, responses D 

if the controller has Vommitments R, challenges d, 
responses D, 

. . the computation ancK comparison means of the 
controller device ascertain that\ the commitments R, the 
d and the responses D^satisfy relationships of the 



challenges, 
type 



R G! dl .G 2 



d2 



Gdm 
m 



mod n 



or a 



relationship of the type 
R = DVG! dl .G 2 d2 . 



G m dm .Vnod n 
comparison means 



of the 



. . the computation and 
controller device ascertain that the message\ M, the challenges 
d and the commitments R satisfy the hashingyunction: 
d = h (message, R) 

. case where the controller device h^s challenges 
d and responses D 
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if \he controller device has challenges d and responses D, 
le computation means of the controller device, on 
the basis ©f each challenge d and each response D, compute 
commitments, R' satisfying relationships of the type: 



R ^ G! dl .G 2 



d2 



G dm . D v mod n 



G m dm . mod n 



or a relationship of the type 

== D v /G 1 d, .G 2 d2 . 
the computation and comparison means of the 
controller device \ascertain that the message M and the 
challenges d satisfy \the hashing function: 

d = >h (message, R') 
case where \ the controller device has 
commitments R and Vesponses D 

if the controller \device has commitments R and 
responses D, 

. . the computation m&ans of the controller device apply 
the hashing function and compute d' such that 
d' = h (message, R) 
. . the computation ancK comparison means of the 
controller device ascertain thaK the commitments R, the 
challenges d' and the responses D\satisfy relationships of the 
type: 

- - G^.G 2 



R = G, dl .G 2 d2 . ... G m dni . V mod n 



or a relationship of the type 
R = D v /G! dl .G 2 d2 . 



G m dm \mod n 
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1 1 . Terminal device associated wrth an entity, taking 
the form especially of a nomad object, for example the form of 
a microprocessor in a microprocessor-based bank card, 
designed to prove to a controller device: 

- the authenticity of an entity and/or 

- the integrity of a message M associated wrth this entity; 
by means of all or part of the following parameters or 

derivatives of these parameters: 

m pairs of private values Q l5 Q 2 , ... Q m and public values 
Gi,G 2 , ... G m (m being greater than or equal to 1), 




\ - a public modulus n constituted by the product of f 
prime factors p u p 2 , ... Pf (f being greater than or equal to 2), 

the said modulus and the said private and public values 
being related by relations of the following type 
5 \ Gi.Qi v = 1 mod n or Gi = Q* v mod n; 

whereS,v denotes a public exponent of the form: 

\ v = 2 k 

where k\is a security parameter greater than 1: 
the said A public values Gi being squares gj 2 of m distinct 
10 base numbers gi,\g2, ... gm> smaller than the f prime factors pi, 
p 2 , ... pf: \ 

the said pi, p\ ... pf prime factors and / or the said m 
base numbers gi, g\ ... g m being produced such that the 
following conditions arte satisfied: 
15 First condition \ 

each of the equation^: 

x v gi 2 mod n (1) 
can be resolved in x in the ring of integers modulo n 
Second condition \ 
20 if Gi = Qi V mod n, among the m numbers q, obtained by 

taking Qi squared modulo n, k-l\ times, one of them is not 
equal to ^gj (in other words is not trivial), 

if Gi.Qi V = 1 mod n, among the m numbbers qj obtained by taking 
the inverse of Qi modulo n squared modulo n, k-1 times, one 
25 of them is not equal to j±g[ (in other worths is not trivial) ; 
Third condition \ 
at least one of the 2m equations \ 

x 2 = gimod n (2) \ 
x 2 = -gjmod n (3) \ 
30 can be resolved in x in the riiig of integers 

modulo n. \ 

the said terminal device comprises a witness device 
comprising \ 

- a memory zone containing the f prime factors \pi and/or 
35 the m numbers of bases gi and/or parameters of the\Chinese 
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remainders of the prime factors and/or the public modulus n 
and/or the m private values Q { and/or the f.m components 
(Qij = Qi mod pj) of the private values Q f and of the public 
exponent v; 

the said witness device also comprises: 

random value production means, hereinafter called 
randonX value production means of the witness device, 

- computation means, hereinafter called means for the 
computatiofi of commitments R of the witness device, to 
compute coiHmitments R in the ring of integers modulo n; 
each commitment being computed: 

• either\by performing operations of the type: 
R = r v mod n 

where r is a random value produced by the random value 
production means, and \ is such that 0 < r < n. 

• or by performing operations of the type: 

Rj =5 ri V mod pj 

where V\ is a randomV value associated with the prime 
number pi such that 0 < T\ < \ each v\ belonging to a collection 
of random values {r h r 2 ,.«. rv} produced by random value 
production means, then by applying the Chinese remainders 
method; 

the said witness device also comprises: 

- reception means hereinafter \alled the means for the 
reception of the challenges d of the wkness device, to receive 
one or more challenges d; each challenge d comprising m 
integers d { hereinafter called elementary challenges; 

- computation means, hereinafter caWed means for the 
computation of the responses D of the witness device for the 
computation, on the basis of each challenge of a response 
D, 

. either by performing operations of the typfc 

D ^ r.Q 1 dl .Q 2 d2 . ... Q m dm mod n 
. or by performing operations of the type: 



35 



D = r.Q u dl .Q ii2 d2 . 



Qi, m dm mod Pi 




and then by applying the Chinese remainders method. 
\ transmission means to transmit one or more 
commitments R and one or more responses D; 
there are \s many responses D as there are challenges d as 
5 there are commitments R, each group of numbers R, d, D 
forming a triptet referenced {R, d, D}. 

12. Terminal device according to claim 11, designed to 
prove the authenWcity of an entity called a demonstrator to an 
entity called a controller; 
10 the said terminal \device being such that it comprises a 
demonstrator device Nassociated with the demonstrator entity, 
the said demonstrator \ device being interconnected with the 
witness device by interconnection means and being capable 
especially of taking the form of logic microcircuits in a nomad 
15 object, for example the \prm of a microprocessor in a 
microprocessor-based bank c^ard, 

the said demonstrator device also comprising connection 
means for its electrical, electromagnetic, optical or acoustic 
connection, especially through a data-processing 
20 communications network, to the controller device associated 
with the controller entity, the said controller device especially 
taking the form of a terminal or remote server; 

the said terminal device enabling\ the execution of the 
following steps: \ 
25 . Step 1: act of commitment R \ 

at each call, the means of commutation of the 
commitments R of the witness device \ compute each 
commitment R by applying the process specified according to 
claim 1, \ 
30 - the witness device has transmission meansv hereinafter 

called the transmission means of the witness\ device to 
transmit all or part of each commitment R to the demonstrator 
device through the interconnection means, \ 

the demonstrator device also has transmission^ means, 
35 hereinafter called the transmission means of the 





demonstrator, to transmit all or part of each commitment Rto 
the corkroller device, through the connection means; 

. SU e P s 2 and 3: act of challenge d, act o f 
response \ D 

5 the nikans of reception or the challenges d of the witness 

device receive each challenge d coming from the controller 
device through^ the connection means between the controller 
device and tHe demonstrator device and through the 
interconnection Vieans between the demonstrator device and 

10 the witness deviceXthe means of computation of the responses 
D of the witness dtevice compute the responses D from the 
challenges d by appVing the process specified according to 
claim 1, \ 

. Step 4: act ofXchecking 

15 the transmission means of the demonstrator transmit 

each response D to the controller that carries out the check. 

13. Terminal device According to claim 11, designed to 
give proof to an entity, know^i as a controller, of the integrity 
of a message M associated \ with an entity known as a 

20 demonstrator, \ 

the said terminal device being such that it comprises a 
demonstrator device associated wrth the demonstrator entity, 
the said demonstrator device beingy interconnected with the 
witness device by interconnection means and being capable 

25 especially of taking the form of logic Aicrocircuits in a nomad 
object, for example the form of aXmicroprocessor in a 
microprocessor-based bank card, \ 

the said demonstrator device comprising connection 
means for its electrical, electromagnetic, Vrtical or acoustic 

30 connection, especially through a \ data-processing 
communications network, to the controller device associated 
with the controller entity, the said controller dWice especially 
taking the form of a terminal or remote server; \ 

the said terminal device being used to \execute the 

35 following steps: \ 
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. Step 1: act of commitment R 

.at each call, the means of computation of the 
commitments R of the witness device compute each 
commitment R by applying the process specified according to 
claim 1; 

the witness device has means of transmission, 
hereinafter called the transmission means of the witness 
device, to transmit all or part of each commitment R to the 
demonstrator device through the interconnection means, 

. Steps 2 \nd 3: act of challenge d, act o f 
response D 

the demonstrato r\ device comprises computation means, 
hereinafter called tHe computation means of the 
demonstrator, applying abashing function h whose arguments 
are the message M and all\or part of each commitment R to 
compute at least one token 

the demonstrator devices, also has transmission means, 
hereinafter known as the transmission means of the 
demonstrator device, to transmit^ each token T, through the 
connection means, to the controlle\ device, 

(the said controller device produces the same number of 
challenges d as the number of commitments R y after receiving 
the token T), 

the means of reception of the challenges d of the witness 
device receive each challenge d coming Yfrom the controller 
device, through the interconnection moans, between the 
controller device and the demonstrator devicfe and through the 
interconnection means between the demonstrator device and 
the witness device, 

the means of computation of the responses D of the 
witness device compute the responses D from the\ challenges d 
by applying the process specified according to clainj 1, 

. Step 4: act of checking 
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the transmission means of the demonstrator send each 
aonse D to the controller device which carries out the 
leci 

. Terminal device according to claim 11, designed to 
produce\ the digital signature of a message M, hereinafter 
known a\ the signed message, by an entity called a signing 
entity; 

the signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 

the said terminal device being such that it comprises a 
signing device associated with the signing entity, the said 
signing device being \nterconnected with the witness device by 
interconnection means \md possibly taking especially the form 
of logic microcircuits in\ nomad object, for example the form 
of a microprocessor in a\microprocessor-based bank card, 

the said signing devices, comprising connection means for 
its electrical, electromagnetic^ optical or acoustic connection, 
especially through a data-proc§ssing communications network, 
to the controller device associated with the controller entity, 
the said controller device especially taking the form of a 
terminal or remote server; 
Signing operation 

the said terminal device being\ used to execute the 
following steps: 

. Step 1: act of commitment R 

at each call, the means of computation of the 
commitments R of the witness devices, compute each 
commitment R by applying the process specified according to 
claim 1, the witness has means of transmission, hereinafter 
called the transmission means of the witness device, to 
transmit all or part of each commitment R to\ the signing 
device through the interconnection means, 

. Step 2: act of challenge d 
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the signing device comprises computation means, 
hereinafter called the computation means of the signing 
device, applying a hashing function h whose arguments are the 
message Mv and all or part of each commitment R to compute a 
binary train\and extract, from this binary train, challenges d 
whose numberys equal to the number of commitments R, 
. step 3: Nact of response D 

the means for the reception of the challenges d of the 
witness device receive the challenges d coming from the 
signing device through the interconnection means, the means 
for computing the responses D of the witness device compute 
the responses D from theV challenges d by applying the process 
specified according to claini 1, 

the witness device Ncomprises transmission means, 
hereinafter called means of transmission of the witness device, 
to transmit the responses D to the signing device, through the 
interconnection means. 

15. Controller device especially taking the form of a 
terminal or remote server associateav with a controller entity, 
designed to prove: 

- the authenticity or an entity and/or 

- the integrity of a message M associated with this entity, 
by means of all or part of the following parameters or 

derivatives of these parameters: 

- m pairs of public values G l5 G 2 , ... G m \(m being greater 
than or equal to 1), 

- a public modulus n constituted by the\ product of f 
prime factors p lt p 2 , ... Pf (f being greater than o\ equal to 2), 
unknown to the controller device and the associated, controller 
entity, 

the said modulus and the said private and publ\c values 
being related by relations of the following type 

Gi. Qi v = 1. mod n or Gi = Qi v mod n; 
where v denotes a public exponent of the form: 

v = 2 k 
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where k is a security parameter greater than 1; 
where Q t is a private value, unknown to the controller 
deVice\ associated with the public value Gj ; 

thev said m public values G\ being squares gi of m distinct 
base numt^rs g u g 2 , ... g m . smaller than the f prime factors pi, 
p 2 , ... Pf 

the said\pi, p 2 , ... Pf prime factors and / or the said m 
base numbers \j, g 2 , ... g m being produced such that the 
following conditions are satisfied: 
First condition 

each of the eqt^ations: 

gi 2 mod n (1) 
can be resolved in \ in the ring of integers modulo n 
Second condition 

if Gi = Qi v mod n, amcW the m numbers qj obtained by 
taking Qi squared modulo rfK k-1 times, one of them is not 
equal to *gi (in other words is not trivial). 

if Gi.Qi V = 1 mod n, among the irt\numbers qi obtained by taking 
the inverse of Qi modulo n square*! modulo n, k-1 times, one 
of them is not equal to _±gi (in other \vords is not trivial) ; 
Third condition 

at least one of the 2m equations 

x 2 = giinod n (2) 



x 2 = -gjmod n (3) 



ers modulo n. 
15, designed to 
nstrator to an 
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can be resolved in x in the ring of ii 

16. Controller device according to clai 
prove the authenticity of an entity called a 
entity called a controller; 

the said controller device comprising connexion means 
for its electrical, electromagnetic, optical or\ acoustic 
connection, especially through a data-pYocessing 
communications network, to a demonstrator device as\ociated 
with the demonstrator entity; 

the said controller device being used to execute\ the 
following steps: 




IP 



IOS966S ,021803 



93 



^1 \ 

/_ / challenj 



30 



Steps 1 and 2; act of commitment R, act o f 
d 

/ the said ctsmtroller device also has means for the reception of 
/ all or parK of the commitments R coming from the 
5 demonstrator \levice through the connection means, 

the controller device has challenge production means for 
the production, after receiving all or part of each commitment 
R, of the challenges d in a number equal to the number of 
commitments R, each challenge d comprising m integers di 
10 hereinafter called eleiWentary challenges. 

the controller device also has transmission means, 
hereinafter called transmission means of the controller, to 
transmit the challenges d\to the demonstrator through the 
connection means; 
15 . Steps 3 and 4: act >rf response, act of checking 

the said controller device also \omprises: 

- means for the reception \of the responses D coming 
from the demonstrator device, through the connection means, 

- computation means, hereinafter called the computation 
20 means of the controller device, 

- comparison means, hereinafter \called the comparison 
means of the controller device, 

case where the demonstrator lias transmitted a 
part of each commitment R. 
25 if the reception means of the demonstrator have 

received a part of each commitment R, the computation means 
or the controller device, having m public values, Gi, G 2 , G m 
compute a reconstructed commitment R\ from e^ch challenge 



d and each response D, this reconstructed coi 
satisfying a relationship of the type : 



litment R' 



R f G, dl .G 2 d2 . 



dm 



D mod n 



or a relationship of the type 
R'e. D v /G, dl .G 2 d2 . 



G m dm mod n 
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* \ the comparison means of the controller device compare 

eachyeconstructed commitment R' with all or part of each 
' commitment R received, 

cake where the demonstrator has transmitted the 
5 totality of each commitment R 

if theV reception means of the controller device have 
received the\otality of each commitment R, the computation 
means and thev comparison means of the controller device, 
having m publiX values G 2 , G 2 , G m ascertain that each 
10 commitment R satisfies a relationship of the type : 

R ^ V".G 2 d2 . ... G m dm . D v mod n 
or a relationship^/ the type 

R ee D v /(^i dl .G 2 d2 . ... G m dm . mod n 
17. Controller device according to claim 15, designed to prove 
15 the integrity of a message associated with an entity known 
as a demonstrator, \ 

the said controller devicescomprising connection means 
for its electrical, electromagnetic, optical or acoustic 
connection, especially through a data-processing 
20 communications network, to \ demonstrator device 
associated with the demonstrator entW, 

the said controller device enabling the execution of the 
following steps: \ 

. Steps 1 and 2: act of commitment R, act o f 
25 challenge d \ 

the said controller device also has \means for the 
reception of tokens T coming from the demonstrator device 
through the connection means, \ 

the controller device has challenge production^ means for 
30 the production, after having received the token Y, of the 
challenges d in a number equal to the number of commitments 
R, each challenge d comprising m integers, hereinafter Vailed 
elementary challenges ; \ 

the controller device also has transmission measns, 
35 hereinafter called the transmission means of the controller 
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response D, act o f 



\G m dm . mod n 



device, \ to transmit the challenges 
through \he connection means; 

. St\ps 3 and 4: act of 
checking 

the said\controller device also comprises: 

- means Vor reception of the responses D coming from 
the demonstrator device, through the connection 
means, 

- computation^ means, hereinafter called the 
computation means of the controller device, having m 
public values (Si, G 2 , G m to firstly compute a 
reconstructed conamitment R', from each challenge d 
and each response >D, this reconstructed commitment 
R' satisfying a relationship of the type: 

R' = G! dl .G 2 d2 . .\G m dm . D v mod n 
or a relationship of the typ* 
R^ D v /G! dl .G 2 c 

then, secondly, compute a t&ken T by applying the 
hashing function h having as argument^ the message M and all 
or part of each reconstructed commitment R\ the controller 
device also comprises \ 

- comparison means, hereinafter caned the comparison 
means of the controller device, to compare \the token T with 
the received token T. 

18. Controller device according \to claim 15, 
designed to prove the authenticity of the message M by 
checking a signed message by means of an entity called a 
signed message; 

the signed message sent by a signing device Associated 
with a signing entity having a hashing function h (message, R), 
comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the response D; 
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Checking operation 

the said controller device comprising connection means 
for electrical, electromagnetic, optical or acoustic 

connection, especially through a data-processing 
communications network, to a signing device associated with 
the signing\entity, the said controller device having received 
the signed Vessage from the signing device, through the 
connection means, 

the controller device comprises: 

- computation means, hereinafter called the computation 
means of the controller device, 

- comparison vneans, hereinafter called the comparison 
means of the controller device; 

case wherey the controller device has 
commitments R, challenges d, responses D 

if the controller Was commitments R, challenges d, 
responses D, 

. . the computation and comparison means of the 
controller device ascertain Chat the commitments R, the 
challenges d and the responses \D satisfy relationships of the 
type 

R ^ G! dl .G 2 d2 . ... G m T- D v mod n 
or a relationship of the type 

R es D v /Gi dl .G 2 d2 . ... G m ^\ mod n 
. . the computation and comparison means of 
controller device ascertain that the i^iessage M and 
challenges d satisfy the hashing function 

d = h (message, R) 
case where the controller \ device 
commitments R and responses D 

if the controller device has commitments R 
responses D. 

. . the computation means of the controller device apply 
the hashing function and compute d' such that 
d' = h (message, R') 



the 
the 



has 



and 




the corfrmitation and comparison means 
controller device ascertain that the commitments 
challenges d' and the responses D satisfy relationships 
type: 

R = G, dl .G 2 d2 . \G m dm D v mod n 



of the 
R, the 
of the 



or a relationship of the typl 
R = D v /G! dl .G 2 d2 . 



dm 



mod n 



